Bug 15065 - Folder & file access permissions given to owner are derived from group setting
Summary: Folder & file access permissions given to owner are derived from group setting
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.16.1
Hardware: x86 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-05-13 03:50 UTC by Bill Burgess
Modified: 2022-05-23 17:50 UTC (History)
0 users

See Also:

log.smbd, level 10, for mounting share (at 10:25:02) and attempting open of 700 file (at 10:25:15) (336.73 KB, text/plain)
2022-05-13 17:48 UTC, Bill Burgess
no flags Details
log.smbd, level 10, for mounting share (at 12:24:05) and opening of 750 file (at 12:24:12) (4.38 MB, text/plain)
2022-05-13 19:41 UTC, Bill Burgess
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bill Burgess 2022-05-13 03:50:26 UTC
A shared folder or file is provided to its owner with group permissions, not owner permissions.

This is especially problematic for a top-level share directory that has permissions 700.  A share whose associated directory has those permissions cannot be mounted at all, even by its owner.

Repeat by:

1.  Find or create a file/folder on the server, somewhere within a share, with permissions 700 (rwx------).
2.  Attempt to open the file/folder via the share client.  Failure.
3.  Back on the server, adjust permissions of the file/folder to 750 (rwxr-x---).
4.  Attempt to view the file/folder via the share client.  Success.
5.  Verify Samba login username by placing a file on the share, then checking at the server to see if the username assigned to the new file matches the owner of the problematic file.

Verified for user "fred" using the following smb.conf (stripped-down vanilla skeleton version)

	workgroup = SAMBA
	security = user

	passdb backend = tdbsam

	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw

	comment = Fred's Directory
	path = /home/fred
	valid users = fred
	browseable = Yes
	read only = No

Environment:  Server is Mac Mini with clean install of Fedora 36 and Samba 4.16.1.  Client is Mac Pro running MacOS "Mojave" 10.14.6.  Previous installation of older Samba on Fedora 35 worked fine in this same environment, so possibly something new in 4.16.1?
Comment 1 Jeremy Allison 2022-05-13 17:11:38 UTC
Can you provide a debug level 10 log of the access failure please ? That will help track this down. Of interest will be the process token used by the smbd whilst trying to get access to the 0700 directory.
Comment 2 Bill Burgess 2022-05-13 17:48:06 UTC
Created attachment 17288 [details]
log.smbd, level 10, for mounting share (at 10:25:02) and attempting open of 700 file (at 10:25:15)

This level 10 portion of log.smbd (4.16.1) shows:

At 10:25:02 AM, user "burgess" (UID 1000) mounts share "pub"
At 10:25:15 AM, user "burgess" attempts to open "foo.txt"

Server-side listing of "pub:
drwxrwxrwx.   2 root root     4096 May 13 10:20 pub

Server-side listing of "foo.txt", a file located directly under "pub":
-rwx------. 1 burgess burgess 32 May 13 10:20 foo.txt

The response from MacOS "Mojave" 10.14.6 was "The document "foo.txt" could not be opened.  You don't have permission."

I hope this gives some clues!
Comment 3 Bill Burgess 2022-05-13 19:41:27 UTC
Created attachment 17289 [details]
log.smbd, level 10, for mounting share (at 12:24:05) and opening of 750 file (at 12:24:12)

This level 10 portion of log.smbd (4.16.1) shows:

At 12:24:05 PM, user "burgess" (UID 1000) mounts share "pub"
At 12:24:12 PM, user "burgess" successfully opens file "bar.txt"

Server-side listing of "pub":
drwxrwxrwx.   2 root root     4096 May 13 10:20 pub

Server-side listing of "bar.txt", a file located directly under "pub":
-rwxr-x---. 1 burgess burgess 32 May 13 12:21 bar.txt

Upon double-clicking the file, MacOS "Mojave" 10.14.6 successfully opened the file and displayed the contents.

The only changes between the previous log and this one are the different filename (bar.txt instead of foo.txt, to avoid any caching issues) and the fact that bar.txt was set with server-side protections of 750 instead of 700.
Comment 4 Bill Burgess 2022-05-22 20:05:31 UTC
This bug has gone away after a "dnf update" operation under Fedora 36.  The update did NOT include any named samba components.  I hereby invite the maintainers to change the status of this issue, if they wish.

For posterity and interest, below is a list of the packages that were involved in this update that, apparently, somehow made this problem go away.  The previous kernel before the update, and under which the reported issue manifested, was 5.17.6-300.fc36.x86_64.  Whether that has anything to do with anything, I have no idea.

Many thanks for all you do and your willingness to explore reported issues!

 Package                            Arch   Version                Repo     Size
 kernel                             x86_64 5.17.8-300.fc36        updates 164 k
 NetworkManager                     x86_64 1:1.38.0-1.fc36        updates 2.1 M
 NetworkManager-adsl                x86_64 1:1.38.0-1.fc36        updates  26 k
 NetworkManager-bluetooth           x86_64 1:1.38.0-1.fc36        updates  53 k
 NetworkManager-libnm               x86_64 1:1.38.0-1.fc36        updates 1.7 M
 NetworkManager-ppp                 x86_64 1:1.38.0-1.fc36        updates  36 k
 NetworkManager-team                x86_64 1:1.38.0-1.fc36        updates  30 k
 NetworkManager-wifi                x86_64 1:1.38.0-1.fc36        updates 127 k
 NetworkManager-wwan                x86_64 1:1.38.0-1.fc36        updates  59 k
 anaconda-core                      x86_64 36.16.5-2.fc36         updates 2.2 M
 anaconda-gui                       x86_64 36.16.5-2.fc36         updates 454 k
 anaconda-tui                       x86_64 36.16.5-2.fc36         updates 192 k
 anaconda-widgets                   x86_64 36.16.5-2.fc36         updates 133 k
 authselect                         x86_64 1.4.0-1.fc36           updates 139 k
 authselect-libs                    x86_64 1.4.0-1.fc36           updates 234 k
 blivet-data                        noarch 1:3.4.4-1.fc36         updates 110 k
 clutter-gst3                       x86_64 3.0.27-9.fc36          updates  84 k
 cockpit                            x86_64 269-1.fc36             updates  43 k
 cockpit-bridge                     x86_64 269-1.fc36             updates 484 k
 cockpit-networkmanager             noarch 269-1.fc36             updates 520 k
 cockpit-packagekit                 noarch 269-1.fc36             updates 589 k
 cockpit-selinux                    noarch 269-1.fc36             updates 214 k
 cockpit-storaged                   noarch 269-1.fc36             updates 595 k
 cockpit-system                     noarch 269-1.fc36             updates 2.3 M
 cockpit-ws                         x86_64 269-1.fc36             updates 1.3 M
 dbus-broker                        x86_64 31-1.fc36              updates 176 k
 edk2-ovmf                          noarch 20220221gitb24306f15daa-4.fc36
                                                                  updates 5.1 M
 evince                             x86_64 42.2-2.fc36            updates 1.6 M
 evince-djvu                        x86_64 42.2-2.fc36            updates  31 k
 evince-libs                        x86_64 42.2-2.fc36            updates 382 k
 evince-nautilus                    x86_64 42.2-2.fc36            updates  19 k
 evince-previewer                   x86_64 42.2-2.fc36            updates  35 k
 evince-thumbnailer                 x86_64 42.2-2.fc36            updates  18 k
 firefox                            x86_64 100.0.1-1.fc36         updates 103 M
 gdb-headless                       x86_64 12.1-1.fc36            updates 4.5 M
 glibc                              x86_64 2.35-9.fc36            updates 2.1 M
 glibc-common                       x86_64 2.35-9.fc36            updates 328 k
 glibc-gconv-extra                  x86_64 2.35-9.fc36            updates 1.6 M
 glibc-langpack-en                  x86_64 2.35-9.fc36            updates 583 k
 glusterfs                          x86_64 10.2-1.fc36            updates 613 k
 glusterfs-cli                      x86_64 10.2-1.fc36            updates 185 k
 glusterfs-client-xlators           x86_64 10.2-1.fc36            updates 859 k
 glusterfs-fuse                     x86_64 10.2-1.fc36            updates 141 k
 gnome-classic-session              noarch 42.1-2.fc36            updates  34 k
 gnome-remote-desktop               x86_64 42.1.1-1.fc36          updates 210 k
 gnome-shell                        x86_64 42.1-2.fc36            updates 1.6 M
 gnome-shell-extension-apps-menu    noarch 42.1-2.fc36            updates  17 k
 gnome-shell-extension-common       noarch 42.1-2.fc36            updates 135 k
                                    noarch 42.1-2.fc36            updates  11 k
 gnome-shell-extension-places-menu  noarch 42.1-2.fc36            updates  16 k
 gnome-shell-extension-window-list  noarch 42.1-2.fc36            updates  24 k
 gtk-update-icon-cache              x86_64 3.24.34-1.fc36         updates  34 k
 gtk3                               x86_64 3.24.34-1.fc36         updates 4.9 M
 gtk4                               x86_64 4.6.4-1.fc36           updates 4.8 M
 gtksourceview5                     x86_64 5.4.1-2.fc36           updates 996 k
 iwl100-firmware                    noarch     updates 137 k
 iwl1000-firmware                   noarch 1:   updates 248 k
 iwl105-firmware                    noarch    updates 216 k
 iwl135-firmware                    noarch    updates 225 k
 iwl2000-firmware                   noarch    updates 219 k
 iwl2030-firmware                   noarch    updates 227 k
 iwl3160-firmware                   noarch 1:  updates 2.5 M
 iwl3945-firmware                   noarch     updates  78 k
 iwl4965-firmware                   noarch   updates  91 k
 iwl5000-firmware                   noarch    updates 362 k
 iwl5150-firmware                   noarch      updates 134 k
 iwl6000-firmware                   noarch     updates 153 k
 iwl6000g2a-firmware                noarch    updates 334 k
 iwl6000g2b-firmware                noarch    updates 340 k
 iwl6050-firmware                   noarch     updates 292 k
 iwl7260-firmware                   noarch 1:  updates  15 M
 iwlax2xx-firmware                  noarch 20220509-132.fc36      updates  39 M
 libbpf                             x86_64 2:0.7.0-3.fc36         updates 159 k
 libertas-usb8388-firmware          noarch 2:20220509-132.fc36    updates 102 k
 libgfapi0                          x86_64 10.2-1.fc36            updates  91 k
 libgfrpc0                          x86_64 10.2-1.fc36            updates  57 k
 libgfxdr0                          x86_64 10.2-1.fc36            updates  31 k
 libglusterd0                       x86_64 10.2-1.fc36            updates  14 k
 libglusterfs0                      x86_64 10.2-1.fc36            updates 299 k
 librsvg2                           x86_64 2.54.3-1.fc36          updates 3.6 M
 linux-firmware                     noarch 20220509-132.fc36      updates 203 M
 linux-firmware-whence              noarch 20220509-132.fc36      updates  49 k
 mutter                             x86_64 42.1-2.fc36            updates 2.4 M
 network-manager-applet             x86_64 1.26.0-2.fc36          updates 199 k
 nm-connection-editor               x86_64 1.26.0-2.fc36          updates 818 k
 osinfo-db                          noarch 20220516-1.fc36        updates 257 k
 ostree                             x86_64 2022.3-3.fc36          updates 234 k
 ostree-libs                        x86_64 2022.3-3.fc36          updates 432 k
 pcsc-lite                          x86_64 1.9.7-1.fc36           updates  93 k
 pcsc-lite-libs                     x86_64 1.9.7-1.fc36           updates  28 k
 pipewire                           x86_64 0.3.51-2.fc36          updates  39 k
 pipewire-alsa                      x86_64 0.3.51-2.fc36          updates  62 k
 pipewire-gstreamer                 x86_64 0.3.51-2.fc36          updates  61 k
 pipewire-jack-audio-connection-kit x86_64 0.3.51-2.fc36          updates 135 k
 pipewire-libs                      x86_64 0.3.51-2.fc36          updates 1.6 M
 pipewire-pulseaudio                x86_64 0.3.51-2.fc36          updates  27 k
 pipewire-utils                     x86_64 0.3.51-2.fc36          updates 331 k
 python3-blivet                     noarch 1:3.4.4-1.fc36         updates 811 k
 rit-meera-new-fonts                noarch 1.3-1.fc36             updates 180 k
 rsync                              x86_64 3.2.4-1.fc36           updates 400 k
 rsyslog                            x86_64 8.2204.0-1.fc36        updates 781 k
 switcheroo-control                 x86_64 2.5-1.fc36             updates  39 k
 vim-common                         x86_64 2:8.2.4975-1.fc36      updates 7.0 M
 vim-data                           noarch 2:8.2.4975-1.fc36      updates  27 k
 vim-default-editor                 noarch 2:8.2.4975-1.fc36      updates  20 k
 vim-enhanced                       x86_64 2:8.2.4975-1.fc36      updates 1.9 M
 vim-filesystem                     noarch 2:8.2.4975-1.fc36      updates  22 k
 vim-minimal                        x86_64 2:8.2.4975-1.fc36      updates 724 k
 wireplumber                        x86_64 0.4.10-1.fc36          updates  80 k
 wireplumber-libs                   x86_64 0.4.10-1.fc36          updates 318 k
Installing dependencies:
 kernel-core                        x86_64 5.17.8-300.fc36        updates  46 M
 kernel-modules                     x86_64 5.17.8-300.fc36        updates  53 M